verification as if your life depends on it - netlib · 2001-05-27 · title: rob gerth - spin01.pdf...

Copyright © 2001 Intel Corporation.

SCLStrategic CAD Labs

Leading the way in CAD

1

Verification as if your life Verification as if your life depends on itdepends on it

Rob GerthRob GerthMay 19, 2001May 19, 2001




2

Where it all started (for Intel)Where it all started (for Intel)

??In 1994, Intel took a $475M charge against In 1994, Intel took a $475M charge against revenues to cover replacement costs and revenues to cover replacement costs and inventoryinventory writedownwritedown due to the Pentium® due to the Pentium® FDIV problemFDIV problem–– Lousy crisis managementLousy crisis management

–– But, postBut, post--silicon errata are extremely expensivesilicon errata are extremely expensive

–– Nothing wakes up higher management better…Nothing wakes up higher management better…

–Strategic CAD Labs (SCL) founded as a result




3

Strategic CAD Labs (SCL)Strategic CAD Labs (SCL)

Invent design technologies that will be critical to IntelInvent design technologies that will be critical to IntelHorizon: 3+ yearsHorizon: 3+ years33 researchers; 33 researchers; 6 opens6 opens

MPG

FTs

DPG EPG

SCL

Mobile Products

Desk Top Products

Enterprise Products

WCCG

Wireless Products

ICG

CommunicationProducts

Intel Architecture Group

Tools ResearchDesign Technology

http://http://intelintel.com/research/.com/research/sclscl




4

DisasterDisaster

??In 1994, Intel took a $475M charge against In 1994, Intel took a $475M charge against revenues to cover replacement costs and revenues to cover replacement costs and inventoryinventory writedownwritedown due to the Pentium® due to the Pentium® FDIV problemFDIV problem–– Lousy crisis managementLousy crisis management

–– But, postBut, post--silicon errata are extremely expensivesilicon errata are extremely expensive

–– Also, nothing wakes up higher management Also, nothing wakes up higher management better…better…

–Strategic CAD Labs (SCL) was founded as a result




5

Seven years laterSeven years later??Full formal verification against IEEE 754 Full formal verification against IEEE 754

floatingfloating--point standardpoint standard–– verify verify samesame gategate--level RTL all traditional dynamic level RTL all traditional dynamic validation is performed onvalidation is performed on

–– mostly routinemostly routine–– easily within development timeframeeasily within development timeframe–– excellent ROI thru easy porting; even across microexcellent ROI thru easy porting; even across micro--architecturesarchitectures

??Good reasons to be confident same can be Good reasons to be confident same can be achieved forachieved for–– controlcontrol-- and memoryand memory--heavy designsheavy designs–– offoff--chip protocols/chipsets: Scalability Port, USBchip protocols/chipsets: Scalability Port, USB




6

Not so fast…Not so fast…




7

Transistor level problemsTransistor level problems

??Cannot be modeled on gateCannot be modeled on gate--levellevel

??Still on discrete level!Still on discrete level!

??Formal equivalence verification issueFormal equivalence verification issue

Because Because oo and and o#o# are held are held to 0 at reset, it takes 2 to 0 at reset, it takes 2 unit delays for the unit delays for the oo and and o#o# to stabilize ...to stabilize ...

-- what if the input data what if the input data was available for only 1 was available for only 1 unit delay?unit delay?




8

‘Analog’ errors‘Analog’ errors??speedspeed--pathspaths

there is a scenario that there is a scenario that

leads to a signal switching leads to a signal switching

22 pico pico seconds too lateseconds too late




9

Physical design issuesPhysical design issues

VDDVDD

VSSVSS




10 Functional correctness only one Functional correctness only one of many design worriesof many design worries

??Silicon errata extremely costlySilicon errata extremely costly–– highly developed classical validation technology highly developed classical validation technology

which will find many bugswhich will find many bugs??FV does not automatically acquires a placeFV does not automatically acquires a place




11

Positioning FVPositioning FV??Multiple overlapping Multiple overlapping ?? --processor projectsprocessor projects

–– any time RTL changes, FV must be redoneany time RTL changes, FV must be redone–– formal verification must be done within the projectsformal verification must be done within the projects–– FV requires more expertise than validationFV requires more expertise than validation–– separate verification teamsseparate verification teams

??Charged against project budgetCharged against project budget




12

Positioning FV Positioning FV ctdctd

??Expectation managementExpectation management–– InitiallyInitially: obtain : obtain blessedblessed RTLRTL

– no amount of validation uncovers additionals bugs– FV of no interest if it applies to ‘sanitized’ RTL

–– RecentlyRecently: also hunting for high: also hunting for high--quality bugsquality bugs– Jury still out




13

SCL’sSCL’s FV FV technologytechnology

STE symposium (CAV 2000)STE symposium (CAV 2000)

http://http://intelintel.com/research/.com/research/sclscl//stesympsitestesympsite..htmhtm




14

Requirements (Whig’s history)Requirements (Whig’s history)??CompleteComplete specifications usually not availablespecifications usually not available??Access to design engineers is always limitedAccess to design engineers is always limited

–– Need exploration/debugging capabilityNeed exploration/debugging capability–– Need versatile ways to build circuit APIsNeed versatile ways to build circuit APIs

??FV is expensiveFV is expensive–– Optimize common case: proof failure/debugging not Optimize common case: proof failure/debugging not

successsuccess–– Use API to isolate effort from RTL changesUse API to isolate effort from RTL changes–– Reuse/maintain verification artifactsReuse/maintain verification artifacts–– Amortize cost over changes Amortize cost over changes andand/or multiple designs/or multiple designs–– Must be soundMust be sound–– Clear what has (not) been provenClear what has (not) been proven




15

Forte verification systemForte verification system??Functional Language: FLFunctional Language: FL

–– What?What?– General purpose interpreted programming language– Everything is a function, i.e., no side effects– Lazy semantics (can deal with infinite objects).

–– Why?Why?– Very high level (10 to 100 times smaller than

equivalent C program)– Convenient to program APIs or FV scripts in– Easy to reason about (precise & simple semantics)– The preferred language type for writing theorem

provers




16

Functional Language: FL Functional Language: FL ctdctd

??Main features:Main features:–– Strongly typed, i.e., safeStrongly typed, i.e., safe– Polymorphic type inference, i.e., convenient– Pattern matching built in, i.e., readable– Abstract data types, i.e., extremely safe–– BDDsBDDs first class objectsfirst class objects, i.e., easy to write symbolic , i.e., easy to write symbolic

algorithmsalgorithms– Garbage collection is built in, i.e., safe and convenient– Dynamic BDD variable reordering built in, i.e.,

convenient –– Efficient (basic) model checker available: STEEfficient (basic) model checker available: STE




17

Example nonExample non--traditional fl codetraditional fl code: let av = variable “a”;a::bool

: let bv = variable “b”;b::bool

: (av XOR bv) = av;it::boolb’

: (av XOR bv) == av;it::boolF

: !x.?y. ((x AND y) OR NOT (x XOR y));it::boolT




18

Example more complex fl codeExample more complex fl code

let cAX (Model R s s’) set =let set’ = bdd_cur_to_next set inquant_forall s’ (R ==> set’);

let cAG (Model R s s’) set =letrec AGR cur =

let new =let cur’ = bdd_cur_to_next cur inquant_forall s’ (set AND (R ==> cur’)) in

if new == cur then cur else AGR new inAGR T;

~50% of the code for a (simple) symbolic CTL model checker!~50% of the code for a (simple) symbolic CTL model checker!




19

Model checking in flModel checking in fl??Model checker (STE) is a builtModel checker (STE) is a built--in command in flin command in fl??As a result: the specification and the commands to As a result: the specification and the commands to

invoke the model checker are both fl programs.invoke the model checker are both fl programs.–– Result:Result:

– Running large number of (smaller) model checking runs becomes practical

– Reasoning about the verification results become reasoning about functional programs.

– Mechanisms to manage and organize large programs are immediately available for large specifications/proofs.

– The programming language provides powerful (textual) abstraction mechanisms making it easier to write high-level specification.




20

Forte Waveform displayForte Waveform display

?? Draws single signals and/or Draws single signals and/or vectorsvectors

?? Can add, delete, duplicate, Can add, delete, duplicate, expand (vectors) any selected expand (vectors) any selected waveformwaveform

?? Allows user to lock a time line Allows user to lock a time line and get values back annotation and get values back annotation onto the circuit canvasonto the circuit canvas

?? Waveforms can be saved as Waveforms can be saved as PostScript codePostScript code




21 Forte Circuit visualizationForte Circuit visualization?? Example of Example of

backback--annotation of annotation of current circuit current circuit valuesvalues

?? For symbolic For symbolic expressions a expressions a pullpull--up window up window is available for is available for more detailsmore details




22

Forte theorem Forte theorem proverprover

??LightLight--weight theorem weight theorem proverprover–– Model checking results as axiomsModel checking results as axioms

– ensure that STE runs cover all cases–– Decomposition of highDecomposition of high--level specificationslevel specifications

– model checkable lemma’s




23

Floating point ADD exampleFloating point ADD example??IEEE Std 754 says:IEEE Std 754 says:

–– “... each of the operations shall be performed as if it first “... each of the operations shall be performed as if it first produced an intermediate result correct to produced an intermediate result correct to infinite precision infinite precision and unbounded rangeand unbounded range, and then [rounded] this intermediate , and then [rounded] this intermediate result to fit in the destination’s format.” (section 5)result to fit in the destination’s format.” (section 5)

–– “When rounding toward negative infinity, the result shall be “When rounding toward negative infinity, the result shall be the format’s value the format’s value closest toclosest to (and (and no greater thanno greater than) the ) the infinitely precise result.” (section 4.2)infinitely precise result.” (section 4.2)

??The topThe top--level spec for FADD (rounding down) islevel spec for FADD (rounding down) is

norm a AND norm b ==>(rounding_mode = TO_NEG_INF) ==>r <= a + b AND // no greater than a + b < r + ulp // closest to AND ...




24 FADD FL Ref ModelFADD FL Ref Model

ReferenceModel

FEU RTL

High level spec

norm a AND norm b ==>(rounding_mode = TO_NEG_INF) ==>r <= a + b < r + ulp ...

// Adapted from: Feldman and Retter,// Computer Architecture (McGraw-Hill, 94)// pp. 489-491let ADDmodel pc rc in1 in2 =...// Find the amount of shift needed let diff = ex2 '-' ex1 in let rsh = MINv diff m in// Do the shiftlet sgf1' = srshift m rsh (sgf1@[F]) in let sgf2' = sgf2@[F] in // Perform the sum (or subtract)let add = (sign fp1 = sign fp2) inlet sum = IF add THENv (sgf2' '+' sgf1')

ELSEv (sgf2' '-' sgf1') // Now perform rounding...




25

A closer look at the ref modelA closer look at the ref model

Executablereference

model

FPU RTL

High level spec

Circuit API

Theorem proving + model checking (manual, highly reusable)

STE (automatic, reusable)API adds design-specificinformation about signal names, timing, …Isolates ref model from RTL changes




26

Verifying RTL against Ref ModelVerifying RTL against Ref Model

-

s1

s2

e1

e2

<<

+

--

norm

++

roun

d

e

s

Adder BDDs blow up because of variable shift




27

Theorem Theorem prover prover supportsupport

??Need to split STE runs in cases with fixed Need to split STE runs in cases with fixed mantissa shiftsmantissa shifts–– theorem prove to make sure all cases are coveredtheorem prove to make sure all cases are covered

??On high levelOn high level–– decompose IEEE spec into properties of rounding, decompose IEEE spec into properties of rounding,

exponent/mantissa values etc.exponent/mantissa values etc.–– Model check these against FL reference modelModel check these against FL reference model–– Invaluable to keep verifier honestInvaluable to keep verifier honest




28

What did we obtainWhat did we obtain??IEEE level functional specs for FP operations of IEEE level functional specs for FP operations of

the FEUthe FEU??Proved correct Proved correct datapathdatapath functionality for these functionality for these

operationsoperations–– all variants, precision and rounding modesall variants, precision and rounding modes

??Compliance verified of the Compliance verified of the samesame gategate--level level descriptionsdescriptions–– on which all preon which all pre--silicon dynamic validation is silicon dynamic validation is

performedperformed–– from which the actual silicon is derivedfrom which the actual silicon is derived

??Extensive reuse (see next slide)Extensive reuse (see next slide)??Floating point FV accepted within IntelFloating point FV accepted within Intel




29

ReuseReuse??P Pro P Pro --> P III> P III

–– ?? --arch change: power saving modesarch change: power saving modes–– minor API changesminor API changes

– Forte’s waveform and circuit viewers essential–– complete reuse of FL models andcomplete reuse of FL models and ThmThm proving effortproving effort

??P III streaming SIMD instructionsP III streaming SIMD instructions–– redesigned APIredesigned API–– moderate redesign of reference models (1 float moderate redesign of reference models (1 float ?? 2 2

packed floats/packed floats/intsints))–– after that: high reuseafter that: high reuse

??P Pro P Pro --> P IV> P IV–– completely new completely new ?? --architecturearchitecture–– reuse of FL models and reuse of FL models and Thm Thm proving effortproving effort




30

Industrial strength FVIndustrial strength FV??Theory development and practical system building Theory development and practical system building

and use should go handand use should go hand--inin--handhand–– Clean theory makes system building manageableClean theory makes system building manageable–– Use of system drives theory developmentUse of system drives theory development

??Developing a general solution is much more Developing a general solution is much more efficient than developing an “optimal” point toolefficient than developing an “optimal” point tool??No assumption that all FV can be “push button”No assumption that all FV can be “push button”??In developing practical FV tools, think In developing practical FV tools, think BIGBIG

–– Today’s circuit are extremely large; even minor Today’s circuit are extremely large; even minor inefficiencies become bottlenecksinefficiencies become bottlenecks

software is




31

TrendsTrends




32

Moore’s lawMoore’s law

Pentium III procPentium III procPentiumPentium®® ProPro

PentiumPentium®® procproc486486

100100

1,0001,000

10,00010,000

100,000100,000

’00’00

FrequencyFrequency(MHz)(MHz)

386386286286

11

1010

’70’70 ’90’90

8086808680858085

808080808008800840044004

’80’800.10.1

30GHz30GHz14GHz14GHz

6.5GHz6.5GHz3 GHz3 GHz

’10’10

~30 GHz~30 GHzFrequency DoublesFrequency Doublesin Two Yearsin Two Years

4004400480088008

8080808080858085 80868086

286286386386

486486 Pentium procPentium procPentiumPentium®® ProPro

PentiumPentium®® IIIIII

1.8B1.8B

425M425M

0.0010.001

0.010.01

0.10.1

11

1010

100100

1,0001,000

10,00010,000

’70’70 ’80’80 ’90’90 ’00’00 ’10’10

TransistorsTransistors(MT)(MT)

~2B Transistors~2B TransistorsTransistors DoubleTransistors DoubleEvery Two YearsEvery Two Years




33

Power…Power…

dI/

dI/d

td

t

DeliveryDelivery

1 1

10 10

100 100

386386486486

Pentium ® procPentium ® proc

Pentium ® ProPentium ® Pro

1.5u1.5u .8u.8u .35u.35u .18u.18u .1u.1u

1000 1000

10000 10000

Hot PlateHot Plate

Nuclear ReactorNuclear Reactor

Rocket NozzleRocket Nozzle

Sun’s SurfaceSun’s Surface

400440048008800880808080

80858085

80868086

286286386386

486486

PentiumPentium®®

processorsprocessors

11

1010

100100

1,0001,000

10,00010,000

’70’70 ’80’80 ’90’90 ’00’00 ’10’10

Pow

er D

ensi

tyP

ower

Den

sity

(W/c

m2)

(W/c

m2)

DensityDensityHot SpotHot Spot

Obviously, this trend cannot continueObviously, this trend cannot continue




34

ConsequencesConsequences??Marketing drive to use full transistor budget Marketing drive to use full transistor budget

for performance increasefor performance increase–– super scalar, out of order, branch prediction, super scalar, out of order, branch prediction,

speculation, ...speculation, ...??Power density trend forces change in microPower density trend forces change in micro--

architectural designarchitectural design–– clock gating, throttling, clock gating, throttling, dynamic frequency & dI/dynamic frequency & dI/dtdt

control, ...control, ...??Ever more complex microEver more complex micro--architecturearchitecture

Moore’s

curse

Moore’s

curse




35

Moore’s curseMoore’s curse??# execution paths roughly exponential in # execution paths roughly exponential in

number of gates (transistors)number of gates (transistors)??Classical validation (and design) methods are Classical validation (and design) methods are

fighting a loosing battlefighting a loosing battle

1

16

486

Relative # of Bugs

filed against design

Next Generation

Pentium ® Pentium ®Pro

Pentium ® 4

90

100

486 Pentium® Pentium ®Pro

Detectionrate(%)?

Pentium ® 4

Bug creation detection




36

Intel produces more Intel produces more microprocessors now in microprocessors now in 2 quarters than the 2 quarters than the 386/486 did in 12386/486 did in 12

& escapes can have an & escapes can have an increasing $ impactincreasing $ impact

0

Pentium ® IV

Pentium ®

Product Ramps

Time

Volume




37 Basic Formal Verification Basic Formal Verification technology not really keeping uptechnology not really keeping up

??Symbolic Model Checking:Symbolic Model Checking:??~400 state variables with rich ~400 state variables with rich

control logiccontrol logic??Symbolic TrajectorySymbolic Trajectory EvalEval..??~8,000 state variables with limited ~8,000 state variables with limited

control logiccontrol logic??Generalized STE for rich control??Generalized STE for rich control??

??Certainly not on similar Certainly not on similar exponential growth curveexponential growth curve




38

Although trend data for Although trend data for software design are hard to software design are hard to come by, I would maintain come by, I would maintain they follow the same patternthey follow the same pattern




39

Ducking the trendDucking the trend

??Deploy FV on more ‘abstract’ Deploy FV on more ‘abstract’ modelsmodels–– Hence, integrate FV in the design processHence, integrate FV in the design process

– otherwise very difficult to migrate FV results to implementation

– implies FV must evolve from arcane art to mature science

– methodology– versatile tool support

you can do worse than a forteyou can do worse than a forte--like systemlike system




40

Ducking the trend Ducking the trend ctdctd??Leverage abstract interpretation/static Leverage abstract interpretation/static

analysis in FV toolsanalysis in FV tools

–– Recent examplesRecent examples

– Bebob; Ball/Rajamani; Microsoft research– AX and successors; Holzmann, Bell labs

–– Research suggestionResearch suggestion– Develop abstract interpration FV tool bench +

methodology for clean language (say functional)

Crude syntactic analysis Model checkingAbstract interpretationAbstract interpretation

we can do worse than taking our cue from such researchwe can do worse than taking our cue from such research




41

QUESTIONS?QUESTIONS?




42

BackupBackup




43

Two key STE ideasTwo key STE ideas??Transition relation ultraTransition relation ultra--partionedpartioned

–– graph of graph of booleanboolean gates + their transfer functionsgates + their transfer functions–– post images partitioned in same waypost images partitioned in same way

??Compute over below latticeCompute over below lattice–– X is a fixed point for every gateX is a fixed point for every gate–– automatic dynamic pruning (slicing)automatic dynamic pruning (slicing)

– as long as a gate is not relevant for computation its inputs (and outputs) will have value X

X0 1

T

{F,T}{F} {T}

{}

?GSTE far reaching GSTE far reaching generalization of STE and generalization of STE and formally defined as an formally defined as an abstract interpretationabstract interpretation




44

verification as if your life depends on it - netlib · 2001-05-27 · title: rob gerth - spin01.pdf...

Documents